Fed Says Critical Operations Unaffected by Website Breach

The intrusion of a website the central bank uses comes less than three months after U.S. lawmakers failed to advance legislation aimed at safeguarding computer networks considered vital to U.S. economic and national security. Photographer: Andrew Harrer/Bloomberg

Feb. 6 (Bloomberg) -- The Federal Reserve found a security
breach on a website it uses to stay in touch with banks during
emergencies and said no critical operations were affected.

“The Federal Reserve system is aware that information was
obtained by exploiting a temporary vulnerability in a website
vendor product,” according to a Richmond Fed statement from Jim
Strader, a spokesman for the regional bank that runs the central
bank’s information-technology office. “This incident did not
affect critical operations of the Federal Reserve System.”

The intrusion comes less than three months after U.S.
lawmakers failed to advance legislation aimed at safeguarding
computer networks considered vital to U.S. economic and national
security.

The central bank’s Emergency Communications System was
accessed by hackers, the Richmond Fed confirmed. Banks use the
site to designate their emergency contacts who would receive
regulatory updates during crises such as natural or man-made
disasters.

“This is just another reminder of how relentless and
sweeping cyberattacks are,” said House Intelligence Committee
Chairman Mike Rogers, a Michigan Republican, in an e-mail.
“Cyberattackers, many from foreign countries, are targeting
every aspect of the American economy every day and Congress
needs to act with urgency.”

Intrusion Fixed

The Richmond Fed said “the exposure was fixed shortly
after discovery and is no longer an issue,” according to the
e-mailed statement.

A group claiming to be the hacker-activist organization
known as Anonymous took responsibility for the breach. The group
posted the names, titles and e-mail addresses of more than 4,000
bankers on the pastebin.com website, said Doug Johnson, vice
president of risk management policy at the American Bankers
Association in Washington.

The information didn’t include more sensitive information
such as bank account numbers, said Johnson, whose group talked
to the Fed about the incident yesterday. The pastebin post with
the banker information was not available today.

The Fed has been working to contact every individual on the
list, he said.

“I sternly suggest those 4,000 bankers change their
passwords to all their critical systems,” including e-mail and
social media accounts, said Ronen Kenig, director of solutions
at Radware Ltd., a Tel Aviv-based network security provider.

Valuable Information

The contact information obtained in the attack on the Fed
could be valuable, as it could be used for future attacks on the
financial sector, he said. Hackers who know the names and e-mail
addresses of bankers can target them with so-called
“spearphishing” attacks, trying to get them to click on links
or attachments with malicious software that can penetrate bank
systems and exploit entire networks, Kenig said.

Many of the largest U.S. banks including Bank of America
Corp. and JPMorgan Chase & Co. were targeted by hackers in a
series of so-called denial-of-service attacks last year that
flooded the banks’ websites with traffic and caused disruptions
for online customers.

Even if damage from this attack is limited, the hacking may
contribute to fears that the government cannot protect private
information, said Jacob Olcott, a cybersecurity consultant at
GoodHarbor Security Risk Management in Washington.

Inadequate Controls

“The banks didn’t want this information publicly out there
so it probably is another case where the federal government is
not implementing appropriate security controls on a sensitive
website,” he said.

Lawmakers in Washington are considering cybersecurity
measures. Rogers, the Michigan congressman, has said he will
soon reintroduce a bill that would give companies legal
protections for sharing cyber-threat information with each other
and the government, and that would allow the government to pass
along classified cybersecurity data to the private sector.

The bill will essentially mirror legislation that the House
passed last April. That bill failed to advance in the Senate.

President Barack Obama’s administration is considering an
executive order to create voluntary cybersecurity standards for
companies operating the nation’s vital infrastructure such as
power grids and chemical plants. Obama in October signed a
separate directive authorizing the National Security Agency and
other military units to take more aggressive action to defeat
attacks on government and private computer systems.